Analysis
max time kernel: 121s
max time network: 122s
platform: windows7_x64
resource: win7-20231129-en
resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
submitted: 23-01-2024 01:28
Behavioral task: behavioral1
Sample: 381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe
Resource: win7-20231129-en
General
Target: 381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe
Size: 280KB
MD5: 681457fa460dff885eef657f166d5ef8
SHA1: 44cac83393e0d6d083f0f2ae064090e2478f715b
SHA256: 381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f
SHA512: 369d299957327e6260f636933756054a0cd6ca78c4e585544aaac56c87fc6da8c9140e0ab0db51c601c06b95566ffa75d1f9699bc53369994eb0ab6d19eb2180
SSDEEP: 6144:s068sLPlQBdpbFl37RYeuFAeQKWQcAfoOGCR/4jTHazM80WLXTT9Bvl:s068sLPlQBdpbFl3l0FAepWQcMdu+Ymt
Malware Config
Signatures

Deletes itself (1 IoC)
Processes: cmd.exe (PID 1728)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Checks processor information in registry (2 TTPs, 2 IoCs)
Processor information is often read in order to detect sandboxing environments.
Processes (description / IoC / process):
Key opened: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 (381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe)
Key value queried: \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString (381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe)

Delays execution with timeout.exe (1 IoC)
Processes: timeout.exe (PID 1132)

Suspicious use of WriteProcessMemory (8 IoCs)
Processes (description / PID / process / target process):
PID 2724 wrote to memory of 1728: 381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe -> cmd.exe (reported 4 times)
PID 1728 wrote to memory of 1132: cmd.exe -> timeout.exe (reported 4 times)
Processes

1. C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe"
   PID: 2724
   - Checks processor information in registry
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe (child of PID 2724)
      Command line: "C:\Windows\system32\cmd.exe" /c rd /s /q C:\Users\Admin\AppData\Local\Temp\yyvJvClPkQhb & timeout 4 & del /f /q "C:\Users\Admin\AppData\Local\Temp\381333799197cdf21b4d12d9ce83587673c52b336547a5425bbd9c69bba00d5f.exe"
      PID: 1728
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\timeout.exe (child of PID 1728)
         Command line: timeout 4
         PID: 1132
         - Delays execution with timeout.exe